CVE-2021-47069
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry
do_mq_timedreceive calls wq_sleep with a stack local address. The sender (do_mq_timedsend) uses this address to later call pipelined_send.
This leads to a very hard to trigger race where a do_mq_timedreceive call might return and leave do_mq_timedsend to rely on an invalid address, causing the following crash:
RIP: 0010:wake_q_add_safe+0x13/0x60 Call Trace: __x64_sys_mq_timedsend+0x2a9/0x490 do_syscall_64+0x80/0x680 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f5928e40343
The race occurs as:
do_mq_timedreceive calls wq_sleep with the address of
struct ext_wait_queueon function stack (aliased asewq_addrhere) - it holds a validstruct ext_wait_queue *as long as the stack has not been overwritten.ewq_addrgets added to info->e_wait_q[RECV].list in wq_add, and do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call __pipelined_op.Sender calls __pipelined_op::smp_store_release(&this->state, STATE_READY). Here is where the race window begins. (
thisisewq_addr.)If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it will see
state == STATE_READYand break.do_mq_timedreceive returns, and
ewq_addris no longer guaranteed to be astruct ext_wait_queue *since it was on do_mq_timedreceive's stack. (Although the address may not get overwritten until another function happens to touch it, which means it can persist around for an indefinite time.)do_mq_timedsend::__pipelined_op() still believes
ewq_addris astruct ext_wait_queue *, and uses it to find a task_struct to pass to the wake_q_add_safe call. In the lucky case where nothing has overwrittenewq_addryet,ewq_addr->taskis the right task_struct. In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a bogus address as the receiver's task_struct causing the crash.
do_mq_timedsend::__pipelined_op() should not dereference this after
setting STATE_READY, as the receiver counterpart is now free to return.
Change __pipelined_op to call wake_q_add_safe on the receiver's
task_struct returned by get_task_struct, instead of dereferencing this
which sits on the receiver's stack.
As Manfred pointed out, the race potentially also exists in ipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare. Fix those in the same way.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | c5b2cbdbdac563f46ecd5e187253ab1abbd6fc04 < 4528c0c323085e645b8765913b4a7fd42cf49b65 | affected |
| Linux | Linux | c5b2cbdbdac563f46ecd5e187253ab1abbd6fc04 < 807fa14536b26803b858da878b643be72952a097 | affected |
| Linux | Linux | c5b2cbdbdac563f46ecd5e187253ab1abbd6fc04 < a11ddb37bf367e6b5239b95ca759e5389bb46048 | affected |
| Linux | Linux | 5.6 | affected |
| Linux | Linux | 0 < 5.6 | unaffected |
| Linux | Linux | 5.10.40 <= 5.10.* | unaffected |
| Linux | Linux | 5.12.7 <= 5.12.* | unaffected |
| Linux | Linux | 5.13 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/4528c0c323085e645b8765913b4a7fd42cf49b65
- https://git.kernel.org/stable/c/807fa14536b26803b858da878b643be72952a097
- https://git.kernel.org/stable/c/a11ddb37bf367e6b5239b95ca759e5389bb46048
References
- https://git.kernel.org/stable/c/4528c0c323085e645b8765913b4a7fd42cf49b65
- https://git.kernel.org/stable/c/807fa14536b26803b858da878b643be72952a097
- https://git.kernel.org/stable/c/a11ddb37bf367e6b5239b95ca759e5389bb46048
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.